Changelog History

  • v2.3.1 Changes

    December 13, 2013
    • Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
    • Fix link for CVE-2013-6415 (number_to_currency)
  • v2.3.0 Changes

    December 12, 2013
    • Add check for Parameters#permit!
    • Add check for CVE-2013-4491 (i18n XSS)
    • Add check for CVE-2013-6414 (header DoS)
    • Add check for CVE-2013-6415 (number_to_currency)
    • Add check for CVE-2013-6416 (simple_format XSS)
    • Add check for CVE-2013-6417 (query generation)
    • Fix typos in reflection and translate bug messages
    • Collapse send/try calls
    • Fix Slim XSS false positives (Noah Davis)
    • Whitelist Model#create for redirects
    • Fix scoping issues with instance variables and blocks
  • v2.2.0 Changes

    October 28, 2013
    • Reduce command injection false positives
    • Use Rails version from Gemfile if it is available
    • Only add routes with actual names
    • Ignore redirects to models using friendly_id (AJ Ostrow)
    • Support scanning Rails engines (Geoffrey Hichborn)
    • Add check for detailed exceptions in production
  • v2.1.2 Changes

    September 18, 2013
    • Do not attempt to load custom Haml filters
    • Do not warn about to_json XSS in Rails 4
    • Add --table-width option to set width of text reports (ssendev)
    • Remove fuzzy matching on dangerous attr_accessible values
  • v2.1.1 Changes

    August 21, 2013
    • New warning code for dangerous attributes in attr_accessible
    • Do not warn on attr_accessible using roles
    • More accurate results for model attribute warnings
    • Use exit code zero with -z if all warnings ignored
    • Respect ignored warnings in rescans
    • Ignore dynamic controller names in routes
    • Fix infinite loop when run as rake task (Matthew Shanley)
    • Respect ignored warnings in tabs format reports
  • v2.1.0 Changes

    July 17, 2013
    • Support non-native line endings in Gemfile.lock (Paul Deardorff)
    • Support for ignoring warnings
    • Check for dangerous model attributes defined in attr_accessible (Paul Deardorff)
    • Update to ruby_parser 3.2.2
    • Add brakeman-min gemspec
    • Load gem dependencies on-demand
    • Output JSON diff to file if -o option is used
    • Add check for authenticate_or_request_with_http_basic
    • Refactor of SQL injection check code (Bart ten Brinke)
    • Fix detection of duplicate XSS warnings
    • Refactor reports into separate classes
    • Allow use of Slim 2.x (Ian Zabel)
    • Return error exit code when application path is not found
    • Add --branch-limit option, limit to 5 by default
    • Add more methods to check for command injection
    • Fix output format detection to be more strict again
    • Allow empty Brakeman configuration file
  • v2.0.0 Changes

    May 20, 2013
    • Add --only-files option to specify files/paths to scan (Ian Ehlert)
    • Add Marshal/CSV deserialization check
    • Combine deserialization checks into single check
    • Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
    • Avoid duplicate results for Symbol DoS check
    • Medium confidence for mass assignment to attr_protected models
    • Remove "timestamp" key from JSON reports
    • Remove deprecated config file locations
    • Relative paths are used by default in JSON reports
    • --absolute-paths replaces --relative-paths
    • Only treat classes with names containing Controller like controllers
    • Better handling of classes nested inside controllers
    • Better handling of controller classes nested in classes/modules
    • Handle -> lambdas with no arguments
    • Handle explicit block argument destructuring
    • Skip Rails config options that are real objects
    • Detect Rails 3 JSON escape config option
    • Much better tracking of warning file names
    • Fix errors when using --separate-models (Noah Davis)
    • Fix fingerprint generation to actually use the file path
    • Fix text report console output in JRuby
    • Fix false positives on Model#id
    • Fix false positives on params.to_json
    • Fix model path guesses to use "models/" instead of "controllers/"
    • Clean up SQL CVE warning messages
    • Use exceptions instead of abort in brakeman lib
    • Update to Ruby2Ruby 2.0.5
  • v1.9.5 Changes

    April 05, 2013
    • Add check for unsafe symbol creation
    • Do not warn on mass assignment with slice/only
    • Do not warn on session secret if in .gitignore
    • Fix scoping for blocks and block arguments
    • Fix error when modifying blocks in templates
    • Fix session secret check for Rails 4
    • Fix crash on before_filter outside controller
    • Fix Sexp hash cache invalidation
    • Respect quiet option in configuration file
    • Convert assignments of simple if expressions into or expressions
    • More fixes for assignments inside branches
    • Pin to ruby2ruby version 2.0.3
  • v1.9.4 Changes

    March 19, 2013
    • Add check for CVE-2013-1854
    • Add check for CVE-2013-1855
    • Add check for CVE-2013-1856
    • Add check for CVE-2013-1857
    • Fix --compare to work with older versions
    • Add "no-referrer" to HTML report links
    • Don't warn when invoking send on user input
    • Slightly faster cloning of Sexps
    • Detect another way to add strong_parameters
  • v1.9.3 Changes

    March 01, 2013
    • Add render path to JSON report
    • Add warning fingerprints
    • Add check for unsafe reflection (Gabriel Quadros)
    • Add check for skipping authentication methods with blacklist
    • Add support for Slim templates
    • Remove empty tables from reports (Owen Ben Davies)
    • Handle prepend/append_before_filter
    • Performance improvements when handling branches
    • Fix processing of production.rb
    • Fix version check for Ruby 2.0
    • Expand HAML dependency to include 4.0
    • Scroll errors into view when expanding in HTML report